Are you saying that the browser itself is binding to port 80/443 and manipulating the firewall? If so, the typical design pattern would be to perform all your root actions early, then permanently drop to an unprivileged user. See System usernames for example code on how to do this in a snap-compliant manner.
You might also consider separating your application into different parts which adds security benefits. I don’t know how feasible that is, but eg:
- run your webserver as a separate daemon, and have it bind to port 80/443 and permanently drop to snap_daemon
- run your web browser as a separate daemon and either permanently drop immediately to snap_daemon or start is as snap_daemon
- use configure hooks/etc to setup your firewall settings or have a separate daemon modify the firewall settings
It sounds like your snap would need to plugs network, network-bind and firewall-control (and perhaps network-control).
For use of ‘browser-support’ with a daemon, your snap should be modified to use system-usernames so that the browser process is not running as root. Once that is done, we’ll ask that you continue to use system-usernames for the browser process and assuming you agree, a member of our advocacy will contact you privately and ask a few questions related to your relationship with the software, device, etc.